Cyber study

by Mark Rowe

The Department for Science, Innovation and Technology (DSIT) has released the latest in its studies of cyber security. Three-quarters of businesses (75pc) and slightly more charities (79pc) have experienced a cyber incident within the last 12 months.

Only around one-quarter of businesses (23pc) and charities (24pc) experiencing incidents in the last year report material consequences (such as loss of money or data).

Cyber profile

As for the cyber profile of those studied, almost all businesses (96pc) and charities (98pc) have a cloud or physical server to store data. Charities are more likely than businesses (56 per cent versus 35pc) to allow their staff to access their systems using a personal device. About half of businesses (55pc) and charities (45pc) have a member on their board responsible for oversight of cyber. A majority have a written procedure for responding to cyber incidents (59pc of businesses, 56pc of charities).

Besides cyber security, the survey covers resilience, awareness and usage of the UK official Cyber Essentials standard, record keeping, internal and external reporting, who takes responsibility for cyber, and the monitoring of supply chains. Respondents were asked whether they have any of five best practice documents for governance: a cyber security business continuity plan, documentation to identify critical assets, a written list of IT vulnerabilities, a risk register, and a document outlining how much cyber risk they are willing to accept. While around nine in ten have at least one of the five (89 per cent of businesses and 92pc of charities), only minorities (22pc of businesses, 16pc of charities) have all five in place.

This DSIT Cyber Security Longitudinal Survey is not the same as the Cyber Security Breaches Survey.

Comments

William Wright, CEO of the cyber firm Closed Door Security, said: “This new survey highlights how vulnerable UK organisations are to cybercrime today, and the need for them to prioritise their defences. The data shows that while many organisations are taking steps to expand or improve their defences over the next year, there is still a large gap in terms of cyber featuring in board and wider company decisions.

“Organisations must move away from treating cyber as an IT issue. It impacts every single business area, so it needs to feature in almost all business decisions. The UK is currently under increased threat from hostile nation states and these countries possess highly advanced cyber skills that can cause real damage to businesses and societies. Organisations must prepare for these threats and prioritise their cyber resilience. Attacks are not going down, they are only getting worse, and so are their consequences.”

Andy Kays, Socura CEO, said: “Some of these figures are scarcely believable, but as a Government controlled longitudinal survey, these may be some of the most realistic cybersecurity survey figures ever obtained in the UK. While other surveys may skew towards positive and sensational results, tracking the same 1000 businesses over several years shows the grim reality that many UK businesses are not prioritising cyber security, or are making changes to their security posture at a glacial pace.

“In the last year, only half of UK board members have had security training, only a quarter of businesses are assessing suppliers for possible security risks, and a fifth of UK boards failed to discuss cyber security even once. Only 17% of businesses are cyber essentials certified, which is one of the lowest bars for measuring security best practice. These figures are all far from perfect.

“In a way, I think the most positive statistic in the whole survey is the fact that more than half of UK businesses say they rely on external consultation for security. Their reliance on trusted third-party security service providers and vendors may be a factor in the generally poor standards of internal security development.”

And Steve Bradford, Senior Vice President EMEA at SailPoint, said: “With three quarters of medium and large sized UK businesses being hit by a cyber incident in the past year, no industry is untouchable when it comes to cybercrime.

“As AI increasingly bleeds into the mainstream, cybercriminals are utilising ransomware, phishing, and targeted social engineering to infiltrate organisations via vulnerabilities or blind spots in their security posture. We are seeing hackers employ ever more sophisticated tactics as well as an increased number of cyber-attacks across industries in the pursuit of lucrative returns. Many of these attacks, at their root, come down to some sort of compromised identity, with user access points often targeted.

“Taking a unified approach to identity security, powered by AI, can enable organisations to clearly see, understand, and manage who has access to what across an organisation. Properly securing that access can go a long way in avoiding a breach or compromise.”

© 2024 Professional Security Magazine. All rights reserved.